Marcher Android Malware – Same Tune, Different Lyrics

Security researchers have recently been warning consumers about Marcher, an Android Trojan that targets banks. The Trojan was first seen attacking banking applications in Argentina, Colombia, Mexico, Peru, Chile and Brazil, but has since expanded to the United States and the rest of the world.

Marcher appears to be an evolution of the Acecard malware that surfaced late last year, based on the following shared characteristics:

affects Android 5.1 and earlier versions

requests dangerous permissions, such as allowing the app to read the device's contacts or send and receive text messages

requests device administrator rights

monitors the Google Play Store, Gmail and banking applications, and even PayPal

Technical Features

Using reverse engineering, our team compared the technical features of the two families and found that Marcher abuses the same weakness in the Android API that Acecard exposed, and uses it to carry out an identical attack. We also found the same procedures around certain banking and non-financial apps: in every case the apps requested the same permissions and administrator rights as Acecard.

Interestingly, we found only a few differences. The apps were not stored in a file under the RAW path, and Marcher differs from Acecard only in its name, icons and pop-up windows, such as the one pictured below. Apart from these small differences, Marcher and Acecard are virtually the same malware, which makes this variant easier to combat.

[Screenshots: the Acecard malware app and the Marcher malware app]

Fighting Fire with Fire

Because of these similarities, the same precautions that work against Acecard also work against Marcher:

Users should update Android to the latest version available for their device; this family targets version 5.1 and earlier.

Users should always review the permissions an app requests before installing it. Permissions that let an app record conversations, read text messages or change the Wi-Fi state should be red flags.

Users should only download apps from authorized stores, such as the Google Play Store.

The Google Play Store should be vigilant about removing apps that request suspicious permissions.
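The permission and device-admin indicators listed under the shared characteristics above, and the permission review recommended in this list, can be checked mechanically against an app's manifest before it is installed. The following Python script is an added example written for this article (not Easy Solutions' tooling): it triages a decoded AndroidManifest.xml, such as the text XML apktool or aapt produces, for the red-flag permissions named in this post, a device-administrator receiver, and a targetSdkVersion low enough that permissions are granted at install time rather than at runtime. Both manifests embedded in it are constructed samples, and the package names, the permission list beyond those the post names, and the scoring thresholds are arbitrary choices made for the example.

```python
"""Triage a decoded AndroidManifest.xml for Marcher/Acecard-style indicators.

Added example, not code from the original article. Assumptions: the manifest is
plain text XML (as produced by apktool/aapt), and the sample manifests below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the post calls red flags (contacts, SMS, audio, Wi-Fi state), plus the
# two an analyst checks for overlay attacks: drawing over other apps and learning
# which app is in the foreground. The extra entries are this example's choice.
RED_FLAG_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.GET_TASKS",
}

# Apps targeting API 22 (Android 5.1) or lower get every permission granted at install,
# even on Android 6.0+, so the pre-install review is the user's only prompt.
INSTALL_TIME_PERMISSION_API = 22


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of indicators and a verdict ('clean', 'review' or 'suspicious')."""
    root = ET.fromstring(xml_text)

    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    flagged = sorted(requested & RED_FLAG_PERMISSIONS)

    # A device-admin request is a receiver protected by BIND_DEVICE_ADMIN that
    # listens for DEVICE_ADMIN_ENABLED; this is how an app asks for "admin rights".
    device_admin = False
    for recv in root.iter("receiver"):
        if attr(recv, "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {attr(a, "name") for a in recv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            device_admin = True

    uses_sdk = root.find("uses-sdk")
    target = attr(uses_sdk, "targetSdkVersion") if uses_sdk is not None else None
    install_time = target is not None and int(target) <= INSTALL_TIME_PERMISSION_API

    # Thresholds are arbitrary for the example: admin rights plus several red-flag
    # permissions is the combination the post describes for both families.
    if device_admin and len(flagged) >= 3:
        verdict = "suspicious"
    elif flagged or device_admin:
        verdict = "review"
    else:
        verdict = "clean"

    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "requests_device_admin": device_admin,
        "install_time_permissions": install_time,
        "verdict": verdict,
    }


# Constructed sample: the permission set and admin receiver described in the post.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Sample App">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign App"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run against a real APK, the input would be the AndroidManifest.xml from `apktool d app.apk`; the script never executes the app, so it is safe to use on a sample. The verdict is only a triage hint: legitimate SMS or launcher apps request some of the same permissions, which is exactly why the post stresses reviewing them in context rather than blocking on any single one.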

We will continue to see modified malware spreading to new regions, and malware with similar properties appearing in others, because these overlapping techniques work against a wide range of financial applications. That is why cross-cutting protection, such as the ability to detect overlay attacks and pharming, is so important: it limits what such attacks can accomplish, so companies do not need to rely on blacklisting alone. Organizations must detect targeted, active attacks rather than merely the presence of malware.

Jhoan Mauricio is a Software Engineering Expert at Easy Solutions. He has more than four years of experience designing, programming and testing software across a variety of platforms, and has worked on numerous projects related to the detection and prevention of electronic fraud. His analytical and problem-solving skills facilitate the development of new ideas and improve existing concepts.